This article was originally published by Trevor K Nelson.

We hear (and use) the terms Risk Identification and Risk Management to generally mean two distinct things. The identification of potential risks, and then after they’re identified, the management/mitigation to prevent those possibilities. But in reality they’re variations of the same process.

True. Risk Identification is the process of simply that – identifying potential risks to the project. And Risk Management is the process of mitigating against those potential risks.

But it doesn’t stop there. Risk Identification isn’t something that’s done a the beginning of the project, and then you shift to Risk Management. Risk identification is an ongoing process that should be done (at the very least) at the beginning of each new phase. Each new phase, each new work package, each new interaction with a vendor sets the stage for new potential risks.

Risk identification and management are much like the processes of Monitoring & Controlling in that they run from the beginning of the project all the way through to the Close. And if done correctly, most PM’s will spend far more time in Risk Identification (looking for risks) than in Risk Management (reacting to manifesting risks). The additional time spent identifying the possible risks will help to avoid them in the first place.

Forgetting to continually update the Risk Register is a risk in and of itself. And one that’s probably not on the Register itself.